Published in the Internet Law Bulletin, 2 1999.
On the 50th anniversary of the signing of the Universal Declaration of Human Rights in December 1998, 33 nations, including Australia, bowed to US demands to further restrict the export of cryptography software, tools which are often used by human rights organisations to inform the world of atrocities committed by repressive governments.
The Wassenaar Arrangement, which was originally established in 1996 to control the export of strategic military weapons, has now extended its scope to include mass market encryption tools, in a move that has been greeted with widespread disapproval around the globe.
Encryption of data is now an essential tool for many businesses and governments to protect valuable confidential information both when it is stored in their computer systems and when it is transmitted from one location to another over a public network such as the Internet. For individuals, encryption is an extremely valuable tool to protect private information or communications.
Sophisticated cryptographic software is now readily available, including many high quality public domain offerings such as PGP offered free of charge on the Internet. Despite this, governments throughout the world attempt to control the proliferation of strong encryption products as if they were military weapons.
Encryption methods can be categorised by the size of the key which is used to encrypt or decrypt a message. Typically, a 40-bit key is considered weak and easily broken by a "brute force" attack, i.e. trying one key combination after another until the correct one is found. 56-bit keys are commonly used in banking applications using an algorithm known as the Data Encryption Standard (DES). However, this algorithm is today considered to have a very limited life span. Most cryptography experts today would recommend 90-128 bits as the desirable minimum key length for the foreseeable future. (1)
In the past, cryptography was carefully restricted by governments and their military intelligence organisations, which meant that it was easy for governments to control the privacy of individuals. Agencies could eavesdrop on private communications in the confidence that an intercepted message would be easily understood.
The wide availability of strong cryptography has fundamentally shifted the power base to the extent that individuals can now largely control their own privacy if they so desire. Governments and their law enforcement and national security agencies are uncomfortable about this recent shift in power. In response, the governments in many countries have conspired to control access to strong cryptography by restricting exports. The Walsh Report (2) raised doubts about the effectiveness of such controls, particularly in this era of global electronic transfer of data.
Australia imposes strict controls over the export of all cryptographic products, both hardware and software. These controls are administered by the Director, Strategic Trade Policy and Operations (STPO), part of the Defence Acquisition Organisation. With one major exception (the General Software Note) the Australian controls are based on obligations under the international Wassenaar Arrangement.
The Australian position on cryptographic export controls can be found in the Customs (Prohibited Exports Regulations) - Schedule 13E and the Customs Act 1901 Section 112 (Prohibited Exports). Items prohibited under this legislation are listed in the Defence and Strategic Goods List of the Australian Controls on the Export of Defence and Strategic Goods (3). Crypto software is identified under Part 3, Category 5/2 of the list.
Under these regulations, all cryptography software requires a permit or a license before it can be exported. Evaluation of license applications is carried out by the cryptographic evaluation section of the Defence Signals Directorate, the body responsible for Australia's external security.
An exception to the export rules is the Personal Use Exemption, which allows encryption software to be taken out of the country under defined conditions, e.g. installed on a notebook computer. No permit is required in this case, although strict conditions must be adhered to. There are also exemptions for authentication-only products and limited application devices such as ATMs and smartcard readers.
The Wassenaar Arrangement
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is an international agreement established in 1996. It is the successor regime to the Co-ordinating Committee for Multilateral Export Controls (COCOM) established by NATO in 1949 to control the export of military equipment and dual-use technologies to Warsaw Pact states. Negotiations to establish a successor regime to COCOM commenced in 1993 and COCOM was terminated in March 1994.
The basic objective of the Wassenaar Arrangement is to prevent the acquisition of conventional arms and sensitive dual-use technologies for military end-uses by States whose behaviour is, or becomes, a cause for serious international concern. It is designed to complement existing weapons control and non-proliferation regimes (the Missile Technology Control Regime, the Nuclear Suppliers Group and the Australia Group) and is not intended to impede bona fide civil transactions.
The 33 participating states are:
Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and United States. (4)
The Dual-Use section of the Arrangement forms the basis for most national controls over the export of cryptography products. However, the control lists established in 1996 provided an exemption, called the General Software Note, for export of mass market software, defined in short as software readily available for retail sale. It also exempted software that was in the public domain. For some reason, Australia declined to allow these exemptions and currently the export of any encryption software from Australia requires a permit or license.
The Wassenaar Arrangement was due for renewal at the end of 1998, otherwise it would have lapsed. Prior to 1998, little attention had been focussed on the agreement, with most of the international controversy about crypto policy being directed at US export controls. However, in mid 1998 Electronic Frontiers Australia (EFA) announced a campaign with the dual aims of reforming Australian export policy and pushing for an end to Wassenaar controls over commercial encryption products.
Quite coincidentally, there was major media exposure at this time concerning the embarrassment of the Australian delegate to a Wassenaar round in April, when questions were asked by other delegates about Australia's failure to prevent the release of the Cryptozilla web browser on the Internet. Cryptozilla was based on the Netscape open source code, which was released globally on April 1 1998 with the cryptographic modules removed. The crypto functionality was restored by utilising the Australian-developed SSLeay crypto toolkit.
The media reports suggested that the Defence Department was considering prosecution of the Brisbane-based Cryptozilla team under the Weapons of Mass Destruction Act, since a Customs Act prosecution was considered unlikely to succeed in the case of intangible exports. Fortunately, common sense reigned and no prosecution was launched. Had it been otherwise, there would undoubtedly have been a global outcry which would have made martyrs out of the Cryptozilla group's leaders, Eric Young and Tim Hudson, who had established a solid international reputation for their work in developing the SSLeay package.
It was thought that Australia would be supporting changes to the Wassenaar cryptography lists at a working group meeting in September 1998, namely the introduction of controls over mass market and public domain software and the inclusion of a statement on controls over intangible exports. EFA then became instrumental in leading a global campaign against these changes, culminating in a statement by 24 members of the Global Internet Liberty Campaign which was sent to the Wassenaar Secretariat in September 1998. The essence of this statement was a plea for the Wassenaar representatives to remove cryptography from the control lists, on the grounds that it was a defensive tool and not a weapon.
Prior to this time the Wassenaar Secretariat was a somewhat secretive, if not reclusive, international agency in Vienna. It must have been an unusual experience for them to receive visits from several civil liberties groups around the time of their September working group meeting.
Unsurprisingly, the Wassenaar crypto expert group made no announcements in September. However, word filtered out that plans to tighten controls had not reached agreement and that a decision would be made prior to the plenary meeting in December. At around the same time a controversy erupted in Europe over the Echelon global surveillance system, amid concerns that the US was able to monitor the communications of its European allies. Perhaps this influenced the Wassenaar delegates to proceed cautiously.
Early information leaked from the December meeting suggested that the control list would at the very least be unchanged. Unfortunately, this early optimism proved to be unfounded. David Aaron, the roving US "ambassador for cryptography controls", gleefully trumpeted the news before the session had even ended that the US had convinced the delegates to support controls over mass market software, a move that would effectively bind the other nations to support existing US policy.
There was even blacker news for the European civil liberties groups. On the very same day, the European Council of Ministers announced plans to allow law enforcement surveillance of realtime land-based and satellite communications without court authorization. (5)
The main changes to the Wassenaar Arrangement announced in respect of cryptography were:
The full control list is available on the Wassenaar Secretariat website (6). This publication in itself was one bright spot in the saga. Until recently, the actual detail of the Arrangement was a closely guarded secret and only snippets had been available for scrutiny, and even then only from unofficial sources. The open publication of the lists is perhaps a sign that the signatory nations recognise that they can no longer make their decisions in secret and that greater transparency is needed. EFA has compiled an extract of the changes that relate to cryptography controls. (7)
Has Wassenaar infringed its own Articles?
Article 4 of The Initial Elements of the Wassenaar Arrangement adopted by the national representatives in 1996 states (8):
The Wassenaar Arrangement is already interpreted by some nations, including Australia, as a justification for restricting the export of commercial products, clearly an infringement of Article 4 which states that the arrangement "will not impede bona fide civil transactions". The new lists may well encourage other countries to adopt a similar policy. As electronic commerce becomes more widely deployed, export restrictions will begin to have a devastating effect because of the dependency on encryption for secure communications.
In Gladman's view, the dual breach of Article 4 of the Initial Elements may well provide grounds for a legal challenge against export controls where the Wassenaar Arrangement is used to justify them.
An Intangible Problem
A further issue that remains a matter of controversy is the question of intangible exports via electronic networks such as the Internet. The USA is presently the only country that has implemented regulations restricting intangibles, but several challenges on First Amendment grounds are currently before the courts. One problem with unilateral policies such as this is that they encourage companies to move offshore to a more receptive environment. There is evidence that this has occurred, with countries such as Ireland offering incentives to companies to establish there, a policy that appears to be paying dividends for that country.
The UK government has recently announced its intention to introduce a Secure Electronic Commerce Bill based on Department of Trade and Industry Proposals that have been floated for about 12 months. The plans include an intention to impose controls on intangible exports, a measure that has attracted widespread criticism.
Restricting intangible exports is not simply a matter of applying conventional customs law to a new method of transport. There are no customs officers on the electronic borders; in fact, the very notion of borders becomes problematical in view of the fact that it is almost as easy to store files on a computer on the other side of the world as on one's desk. Enforcement of any such regulations is therefore well nigh impossible and an unenforceable law might as well not be passed.
A further problem is that intangible goods are difficult to distinguish from ideas, and it is hard to imagine a more chilling prospect than that of containing the communication of thoughts. International research collaboration in the mathematics of cryptography would need to come to a virtual standstill and academic freedom would be severely constrained.
In Australia, there is recognition of the limitations of existing export laws (10), and an apparent desire by authorities to close the intangibles loophole. To date, there has been no indication that such a proposal would be put forward, but the UK moves in this direction will no doubt be watched with great interest in Canberra. Wassenaar itself is silent on the intangibles question, leaving it up to individual countries to determine policy.
The Future
To date, there has been no announcement by any country about a change in regulations to conform to the revised Wassenaar Agreement. Australia had initially been expected to move quickly but no changes have been announced to date. However, the recent awarding of an export license to the new Australian subsidiary of RSA is seen by some as a softening in attitude that may augur well for the winds of change to sweep through the corridors of the Defence Department.
France has recently made a dramatic turnaround in its attitude towards cryptography. Previously a nation with one of the most restrictive laws banning even domestic use of cryptography, the country has recently announced a reversal of policy and now endorses strong encryption for all. This is believed to be prompted by a perception, founded on firm evidence, that the US is eavesdropping on the entire planet and that other nations need to protect themselves from the tappers.
It remains to be seen whether these actions might be but the first signs of a global breakaway movement.
References
(1) Minimal Key Lengths For Symmetric Ciphers To Provide Adequate Commercial Security. A Report By An Ad Hoc Group Of Cryptographers And Computer Scientists. http://www.bsa.org/policy/encryption/cryptographers_c.html
(2) Review of Policy Relating to Encryption Technologies. The Walsh Report. http://www.efa.org.au/Issues/Crypto/Walsh
(3) Australian Controls on the Export of Defence and Strategic Goods. http://www.dao.defence.gov.au/exportcontrols/dld_dsgl.html
(4) Wassenaar Secretariat, Vienna, Austria. http://www.wassenaar.org
(5) Europe is Listening. Wired Magazine, December 1988. http://www.wired.com/news/news/politics/story/16588.html
(6) Wassenaar Arrangement Control List. http://www.wassenaar.org/List/Table%20of%20Contents%20-%2098web.html
(7) Extract of December 1998 changes to Wassenaar cryptographic controls. Electronic Frontiers Australia. http://www.efa.org.au/Issues/Crypto/wass98.html
(8) Wassenaar Arrangement, Initial Elements. http://www.wassenaar.org/docs/IE96.html
(9) The Wassenaar Arrangement and Controls on Cryptographic Products. Dr. Brian Gladman, 1998. http://jya.com/bg/wassenaar.pdf
(10) Distributing encryption software by the Internet: Loopholes in Australian export controls. Patrick Gunning, Mallesons Stephen Jacques, 1998. http://www2.austlii.edu.au/itlaw/articles/Gunning_Encryption.html